Regenerate manual pages.
[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_max_cert_list.3
CommitLineData
e056f0e0
JR
1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
e056f0e0 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
e056f0e0 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
e056f0e0 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
e056f0e0
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
984263bc 32.tr \(*W-|\(bv\*(Tr
e056f0e0 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
e056f0e0
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
e056f0e0
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
e056f0e0
JR
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
e056f0e0
JR
59. nr % 0
60. rr F
984263bc 61.\}
e056f0e0
JR
62.\"
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
984263bc 66.if n .na
e056f0e0
JR
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
e056f0e0
JR
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
984263bc
MD
77.\}
78.if t \{\
e056f0e0
JR
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
e056f0e0 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
e056f0e0
JR
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
984263bc
MD
93.\}
94.if t \{\
e056f0e0
JR
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
e056f0e0 102. \" troff and (daisy-wheel) nroff accents
984263bc
MD
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
e056f0e0 112. \" corrections for vroff
984263bc
MD
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
e056f0e0 115. \" for low resolution devices (crt and lpr)
984263bc
MD
116.if \n(.H>23 .if \n(.V>19 \
117\{\
e056f0e0
JR
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
984263bc
MD
127.\}
128.rm #[ #] #H #V #F C
e056f0e0
JR
129.\" ========================================================================
130.\"
131.IX Title "SSL_CTX_set_max_cert_list 3"
132.TH SSL_CTX_set_max_cert_list 3 "2004-12-22" "0.9.7e" "OpenSSL"
984263bc
MD
133.SH "NAME"
134SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, \- manipulate allowed for the peer's certificate chain
135.SH "SYNOPSIS"
e056f0e0 136.IX Header "SYNOPSIS"
984263bc
MD
137.Vb 1
138\& #include <openssl/ssl.h>
139.Ve
e056f0e0 140.PP
984263bc
MD
141.Vb 2
142\& long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
143\& long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
144.Ve
e056f0e0 145.PP
984263bc
MD
146.Vb 2
147\& long SSL_set_max_cert_list(SSL *ssl, long size);
148\& long SSL_get_max_cert_list(SSL *ctx);
149.Ve
150.SH "DESCRIPTION"
e056f0e0
JR
151.IX Header "DESCRIPTION"
152\&\fISSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
153certificate chain for all \s-1SSL\s0 objects created from \fBctx\fR to be <size> bytes.
154The \s-1SSL\s0 objects inherit the setting valid for \fBctx\fR at the time
155\&\fISSL_new\fR\|(3) is being called.
984263bc 156.PP
e056f0e0 157\&\fISSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
984263bc 158.PP
e056f0e0 159\&\fISSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's
984263bc
MD
160certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
161until a new value is set.
162.PP
e056f0e0 163\&\fISSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
984263bc 164.SH "NOTES"
e056f0e0 165.IX Header "NOTES"
984263bc 166During the handshake process, the peer may send a certificate chain.
e056f0e0 167The \s-1TLS/SSL\s0 standard does not give any maximum size of the certificate chain.
984263bc
MD
168The OpenSSL library handles incoming data by a dynamically allocated buffer.
169In order to prevent this buffer from growing without bounds due to data
170received from a faulty or malicious peer, a maximum size for the certificate
171chain is set.
172.PP
173The default value for the maximum certificate chain size is 100kB (30kB
e056f0e0 174on the 16bit \s-1DOS\s0 platform). This should be sufficient for usual certificate
984263bc 175chains (OpenSSL's default maximum chain length is 10, see
e056f0e0
JR
176\&\fISSL_CTX_set_verify\fR\|(3), and certificates
177without special extensions have a typical size of 1\-2kB).
984263bc
MD
178.PP
179For special applications it can be necessary to extend the maximum certificate
180chain size allowed to be sent by the peer, see e.g. the work on
e056f0e0
JR
181\&\*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
182and \*(L"\s-1TLS\s0 Delegation Protocol\*(R" at http://www.ietf.org/ and
984263bc
MD
183http://www.globus.org/ .
184.PP
185Under normal conditions it should never be necessary to set a value smaller
186than the default, as the buffer is handled dynamically and only uses the
187memory actually required by the data sent by the peer.
188.PP
189If the maximum certificate chain size allowed is exceeded, the handshake will
e056f0e0 190fail with a \s-1SSL_R_EXCESSIVE_MESSAGE_SIZE\s0 error.
984263bc 191.SH "RETURN VALUES"
e056f0e0
JR
192.IX Header "RETURN VALUES"
193\&\fISSL_CTX_set_max_cert_list()\fR and \fISSL_set_max_cert_list()\fR return the previously
984263bc
MD
194set value.
195.PP
e056f0e0 196\&\fISSL_CTX_get_max_cert_list()\fR and \fISSL_get_max_cert_list()\fR return the currently
984263bc
MD
197set value.
198.SH "SEE ALSO"
a7d27d5a 199.IX Header "SEE ALSO"
e056f0e0
JR
200\&\fIssl\fR\|(3), \fISSL_new\fR\|(3),
201\&\fISSL_CTX_set_verify\fR\|(3)
202.SH "HISTORY"
a7d27d5a 203.IX Header "HISTORY"
e056f0e0 204SSL*_set/\fIget_max_cert_list()\fR have been introduced in OpenSSL 0.9.7.